mirrors
/
jgit
mirror of https://github.com/eclipse/jgit.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 204 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8141 Commits
49 Branches
Tree: 21262e98fe
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '21262e98fe'
${ noResults }
jgit/org.eclipse.jgit.junit.ssh/src/org/eclipse/jgit/junit/ssh/SshTestGitServer.java

SshTestGitServer.java 16KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542 
  1. /*

  2.  * Copyright (C) 2018, 2020 Thomas Wolf <thomas.wolf@paranor.ch> and others

  3.  *

  4.  * This program and the accompanying materials are made available under the

  5.  * terms of the Eclipse Distribution License v. 1.0 which is available at

  6.  * https://www.eclipse.org/org/documents/edl-v10.php.

  7.  *

  8.  * SPDX-License-Identifier: BSD-3-Clause

  9.  */

  10. package org.eclipse.jgit.junit.ssh;

  11. 

  12. import java.io.ByteArrayInputStream;

  13. import java.io.IOException;

  14. import java.io.InputStream;

  15. import java.io.OutputStream;

  16. import java.nio.charset.StandardCharsets;

  17. import java.nio.file.Files;

  18. import java.nio.file.Path;

  19. import java.security.GeneralSecurityException;

  20. import java.security.KeyPair;

  21. import java.security.PublicKey;

  22. import java.text.MessageFormat;

  23. import java.util.ArrayList;

  24. import java.util.Collections;

  25. import java.util.List;

  26. import java.util.Locale;

  27. import java.util.concurrent.TimeUnit;

  28. 

  29. import org.apache.sshd.common.NamedResource;

  30. import org.apache.sshd.common.PropertyResolver;

  31. import org.apache.sshd.common.PropertyResolverUtils;

  32. import org.apache.sshd.common.SshConstants;

  33. import org.apache.sshd.common.config.keys.AuthorizedKeyEntry;

  34. import org.apache.sshd.common.config.keys.KeyUtils;

  35. import org.apache.sshd.common.config.keys.PublicKeyEntryResolver;

  36. import org.apache.sshd.common.file.virtualfs.VirtualFileSystemFactory;

  37. import org.apache.sshd.common.session.Session;

  38. import org.apache.sshd.common.util.buffer.Buffer;

  39. import org.apache.sshd.common.util.security.SecurityUtils;

  40. import org.apache.sshd.common.util.threads.CloseableExecutorService;

  41. import org.apache.sshd.common.util.threads.ThreadUtils;

  42. import org.apache.sshd.server.ServerAuthenticationManager;

  43. import org.apache.sshd.server.ServerFactoryManager;

  44. import org.apache.sshd.server.SshServer;

  45. import org.apache.sshd.server.auth.UserAuth;

  46. import org.apache.sshd.server.auth.UserAuthFactory;

  47. import org.apache.sshd.server.auth.gss.GSSAuthenticator;

  48. import org.apache.sshd.server.auth.gss.UserAuthGSS;

  49. import org.apache.sshd.server.auth.gss.UserAuthGSSFactory;

  50. import org.apache.sshd.server.auth.keyboard.DefaultKeyboardInteractiveAuthenticator;

  51. import org.apache.sshd.server.command.AbstractCommandSupport;

  52. import org.apache.sshd.server.session.ServerSession;

  53. import org.apache.sshd.server.shell.UnknownCommand;

  54. import org.apache.sshd.server.subsystem.SubsystemFactory;

  55. import org.apache.sshd.server.subsystem.sftp.SftpSubsystemFactory;

  56. import org.eclipse.jgit.annotations.NonNull;

  57. import org.eclipse.jgit.annotations.Nullable;

  58. import org.eclipse.jgit.lib.Repository;

  59. import org.eclipse.jgit.transport.ReceivePack;

  60. import org.eclipse.jgit.transport.RemoteConfig;

  61. import org.eclipse.jgit.transport.UploadPack;

  62. 

  63. /**

  64.  * A simple ssh/sftp git <em>test</em> server based on Apache MINA sshd.

  65.  * <p>

  66.  * Supports only a single repository. Authenticates only the given test user

  67.  * against his given test public key. Supports fetch and push.

  68.  * </p>

  69.  *

  70.  * @since 5.2

  71.  */

  72. public class SshTestGitServer {

  73. 

  74. 	/**

  75. 	 * Simple echo test command. Replies with the command string as passed. If

  76. 	 * of the form "echo [int] anything", takes the integer value as a delay in

  77. 	 * seconds before replying, which may be useful to test various

  78. 	 * timeout-related things.

  79. 	 *

  80. 	 * @since 5.9

  81. 	 */

  82. 	public static final String ECHO_COMMAND = "echo";

  83. 

  84. 	@NonNull

  85. 	protected final String testUser;

  86. 

  87. 	@NonNull

  88. 	protected final Repository repository;

  89. 

  90. 	@NonNull

  91. 	protected final List<KeyPair> hostKeys = new ArrayList<>();

  92. 

  93. 	protected final SshServer server;

  94. 

  95. 	@NonNull

  96. 	protected PublicKey testKey;

  97. 

  98. 	private final CloseableExecutorService executorService = ThreadUtils

  99. 			.newFixedThreadPool("SshTestGitServerPool", 2);

  100. 

  101. 	/**

  102. 	 * Creates a ssh git <em>test</em> server. It serves one single repository,

  103. 	 * and accepts public-key authentication for exactly one test user.

  104. 	 *

  105. 	 * @param testUser

  106. 	 *            user name of the test user

  107. 	 * @param testKey

  108. 	 *            public key file of the test user

  109. 	 * @param repository

  110. 	 *            to serve

  111. 	 * @param hostKey

  112. 	 *            the unencrypted private key to use as host key

  113. 	 * @throws IOException

  114. 	 * @throws GeneralSecurityException

  115. 	 */

  116. 	public SshTestGitServer(@NonNull String testUser, @NonNull Path testKey,

  117. 			@NonNull Repository repository, @NonNull byte[] hostKey)

  118. 			throws IOException, GeneralSecurityException {

  119. 		this(testUser, readPublicKey(testKey), repository,

  120. 				readKeyPair(hostKey));

  121. 	}

  122. 

  123. 	/**

  124. 	 * Creates a ssh git <em>test</em> server. It serves one single repository,

  125. 	 * and accepts public-key authentication for exactly one test user.

  126. 	 *

  127. 	 * @param testUser

  128. 	 *            user name of the test user

  129. 	 * @param testKey

  130. 	 *            public key file of the test user

  131. 	 * @param repository

  132. 	 *            to serve

  133. 	 * @param hostKey

  134. 	 *            the unencrypted private key to use as host key

  135. 	 * @throws IOException

  136. 	 * @throws GeneralSecurityException

  137. 	 * @since 5.9

  138. 	 */

  139. 	public SshTestGitServer(@NonNull String testUser, @NonNull Path testKey,

  140. 			@NonNull Repository repository, @NonNull KeyPair hostKey)

  141. 			throws IOException, GeneralSecurityException {

  142. 		this(testUser, readPublicKey(testKey), repository, hostKey);

  143. 	}

  144. 

  145. 	/**

  146. 	 * Creates a ssh git <em>test</em> server. It serves one single repository,

  147. 	 * and accepts public-key authentication for exactly one test user.

  148. 	 *

  149. 	 * @param testUser

  150. 	 *            user name of the test user

  151. 	 * @param testKey

  152. 	 *            the {@link PublicKey} of the test user

  153. 	 * @param repository

  154. 	 *            to serve

  155. 	 * @param hostKey

  156. 	 *            the {@link KeyPair} to use as host key

  157. 	 * @since 5.9

  158. 	 */

  159. 	public SshTestGitServer(@NonNull String testUser,

  160. 			@NonNull PublicKey testKey, @NonNull Repository repository,

  161. 			@NonNull KeyPair hostKey) {

  162. 		this.testUser = testUser;

  163. 		setTestUserPublicKey(testKey);

  164. 		this.repository = repository;

  165. 		server = SshServer.setUpDefaultServer();

  166. 		hostKeys.add(hostKey);

  167. 		server.setKeyPairProvider((session) -> hostKeys);

  168. 

  169. 		configureAuthentication();

  170. 

  171. 		List<SubsystemFactory> subsystems = configureSubsystems();

  172. 		if (!subsystems.isEmpty()) {

  173. 			server.setSubsystemFactories(subsystems);

  174. 		}

  175. 

  176. 		configureShell();

  177. 

  178. 		server.setCommandFactory((channel, command) -> {

  179. 			if (command.startsWith(RemoteConfig.DEFAULT_UPLOAD_PACK)) {

  180. 				return new GitUploadPackCommand(command, executorService);

  181. 			} else if (command.startsWith(RemoteConfig.DEFAULT_RECEIVE_PACK)) {

  182. 				return new GitReceivePackCommand(command, executorService);

  183. 			} else if (command.startsWith(ECHO_COMMAND)) {

  184. 				return new EchoCommand(command, executorService);

  185. 			}

  186. 			return new UnknownCommand(command);

  187. 		});

  188. 	}

  189. 

  190. 	private static PublicKey readPublicKey(Path key)

  191. 			throws IOException, GeneralSecurityException {

  192. 		return AuthorizedKeyEntry.readAuthorizedKeys(key).get(0)

  193. 				.resolvePublicKey(null, PublicKeyEntryResolver.IGNORING);

  194. 	}

  195. 

  196. 	private static KeyPair readKeyPair(byte[] keyMaterial)

  197. 			throws IOException, GeneralSecurityException {

  198. 		try (ByteArrayInputStream in = new ByteArrayInputStream(keyMaterial)) {

  199. 			return SecurityUtils.loadKeyPairIdentities(null, null, in, null)

  200. 					.iterator().next();

  201. 		}

  202. 	}

  203. 

  204. 	private static class FakeUserAuthGSS extends UserAuthGSS {

  205. 		@Override

  206. 		protected @Nullable Boolean doAuth(Buffer buffer, boolean initial)

  207. 				throws Exception {

  208. 			// We always reply that we did do this, but then we fail at the

  209. 			// first token message. That way we can test that the client-side

  210. 			// sends the correct initial request and then is skipped correctly,

  211. 			// even if it causes a GSSException if Kerberos isn't configured at

  212. 			// all.

  213. 			if (initial) {

  214. 				ServerSession session = getServerSession();

  215. 				Buffer b = session.createBuffer(

  216. 						SshConstants.SSH_MSG_USERAUTH_INFO_REQUEST);

  217. 				b.putBytes(KRB5_MECH.getDER());

  218. 				session.writePacket(b);

  219. 				return null;

  220. 			}

  221. 			return Boolean.FALSE;

  222. 		}

  223. 	}

  224. 

  225. 	private List<UserAuthFactory> getAuthFactories() {

  226. 		List<UserAuthFactory> authentications = new ArrayList<>();

  227. 		authentications.add(new UserAuthGSSFactory() {

  228. 			@Override

  229. 			public UserAuth createUserAuth(ServerSession session)

  230. 					throws IOException {

  231. 				return new FakeUserAuthGSS();

  232. 			}

  233. 		});

  234. 		authentications.add(

  235. 				ServerAuthenticationManager.DEFAULT_USER_AUTH_PUBLIC_KEY_FACTORY);

  236. 		authentications.add(

  237. 				ServerAuthenticationManager.DEFAULT_USER_AUTH_KB_INTERACTIVE_FACTORY);

  238. 		authentications.add(

  239. 				ServerAuthenticationManager.DEFAULT_USER_AUTH_PASSWORD_FACTORY);

  240. 		return authentications;

  241. 	}

  242. 

  243. 	/**

  244. 	 * Configures the authentication mechanisms of this test server. Invoked

  245. 	 * from the constructor. The default sets up public key authentication for

  246. 	 * the test user, and a gssapi-with-mic authenticator that pretends to

  247. 	 * support this mechanism, but that then refuses to authenticate anyone.

  248. 	 */

  249. 	protected void configureAuthentication() {

  250. 		server.setUserAuthFactories(getAuthFactories());

  251. 		// Disable some authentications

  252. 		server.setPasswordAuthenticator(null);

  253. 		server.setKeyboardInteractiveAuthenticator(null);

  254. 		server.setHostBasedAuthenticator(null);

  255. 		// Pretend we did gssapi-with-mic.

  256. 		server.setGSSAuthenticator(new GSSAuthenticator() {

  257. 			@Override

  258. 			public boolean validateInitialUser(ServerSession session,

  259. 					String user) {

  260. 				return false;

  261. 			}

  262. 		});

  263. 		// Accept only the test user/public key

  264. 		server.setPublickeyAuthenticator((userName, publicKey, session) -> {

  265. 			return SshTestGitServer.this.testUser.equals(userName) && KeyUtils

  266. 					.compareKeys(SshTestGitServer.this.testKey, publicKey);

  267. 		});

  268. 	}

  269. 

  270. 	/**

  271. 	 * Configures the test server's subsystems (sftp, scp). Invoked from the

  272. 	 * constructor. The default provides a simple SFTP setup with the root

  273. 	 * directory as the given repository's .git directory's parent. (I.e., at

  274. 	 * the directory containing the .git directory.)

  275. 	 *

  276. 	 * @return A possibly empty collection of subsystems.

  277. 	 */

  278. 	@NonNull

  279. 	protected List<SubsystemFactory> configureSubsystems() {

  280. 		// SFTP.

  281. 		server.setFileSystemFactory(new VirtualFileSystemFactory() {

  282. 

  283. 			@Override

  284. 			protected Path computeRootDir(Session session) throws IOException {

  285. 				return SshTestGitServer.this.repository.getDirectory()

  286. 						.getParentFile().getAbsoluteFile().toPath();

  287. 			}

  288. 		});

  289. 		return Collections

  290. 				.singletonList((new SftpSubsystemFactory.Builder()).build());

  291. 	}

  292. 

  293. 	/**

  294. 	 * Configures shell access for the test server. The default provides no

  295. 	 * shell at all.

  296. 	 */

  297. 	protected void configureShell() {

  298. 		// No shell

  299. 		server.setShellFactory(null);

  300. 	}

  301. 

  302. 	/**

  303. 	 * Adds an additional host key to the server.

  304. 	 *

  305. 	 * @param key

  306. 	 *            path to the private key file; should not be encrypted

  307. 	 * @param inFront

  308. 	 *            whether to add the new key before other existing keys

  309. 	 * @throws IOException

  310. 	 *             if the file denoted by the {@link Path} {@code key} cannot be

  311. 	 *             read

  312. 	 * @throws GeneralSecurityException

  313. 	 *             if the key contained in the file cannot be read

  314. 	 */

  315. 	public void addHostKey(@NonNull Path key, boolean inFront)

  316. 			throws IOException, GeneralSecurityException {

  317. 		try (InputStream in = Files.newInputStream(key)) {

  318. 			KeyPair pair = SecurityUtils

  319. 					.loadKeyPairIdentities(null,

  320. 							NamedResource.ofName(key.toString()), in, null)

  321. 					.iterator().next();

  322. 			addHostKey(pair, inFront);

  323. 		}

  324. 	}

  325. 

  326. 	/**

  327. 	 * Adds an additional host key to the server.

  328. 	 *

  329. 	 * @param key

  330. 	 *            {@link KeyPair} to add

  331. 	 * @param inFront

  332. 	 *            whether to add the new key before other existing keys

  333. 	 * @since 5.8

  334. 	 */

  335. 	public void addHostKey(@NonNull KeyPair key, boolean inFront) {

  336. 		if (inFront) {

  337. 			hostKeys.add(0, key);

  338. 		} else {

  339. 			hostKeys.add(key);

  340. 		}

  341. 	}

  342. 

  343. 	/**

  344. 	 * Enable password authentication. The server will accept the test user's

  345. 	 * name, converted to all upper-case, as password.

  346. 	 */

  347. 	public void enablePasswordAuthentication() {

  348. 		server.setPasswordAuthenticator((user, pwd, session) -> {

  349. 			return testUser.equals(user)

  350. 					&& testUser.toUpperCase(Locale.ROOT).equals(pwd);

  351. 		});

  352. 	}

  353. 

  354. 	/**

  355. 	 * Enable keyboard-interactive authentication. The server will accept the

  356. 	 * test user's name, converted to all upper-case, as password.

  357. 	 */

  358. 	public void enableKeyboardInteractiveAuthentication() {

  359. 		server.setPasswordAuthenticator((user, pwd, session) -> {

  360. 			return testUser.equals(user)

  361. 					&& testUser.toUpperCase(Locale.ROOT).equals(pwd);

  362. 		});

  363. 		server.setKeyboardInteractiveAuthenticator(

  364. 				DefaultKeyboardInteractiveAuthenticator.INSTANCE);

  365. 	}

  366. 

  367. 	/**

  368. 	 * Retrieves the server's {@link PropertyResolver}, giving access to server

  369. 	 * properties.

  370. 	 *

  371. 	 * @return the {@link PropertyResolver}

  372. 	 * @since 5.9

  373. 	 */

  374. 	public PropertyResolver getPropertyResolver() {

  375. 		return server;

  376. 	}

  377. 

  378. 	/**

  379. 	 * Starts the test server, listening on a random port.

  380. 	 *

  381. 	 * @return the port the server listens on; test clients should connect to

  382. 	 *         that port

  383. 	 * @throws IOException

  384. 	 */

  385. 	public int start() throws IOException {

  386. 		server.start();

  387. 		return server.getPort();

  388. 	}

  389. 

  390. 	/**

  391. 	 * Stops the test server.

  392. 	 *

  393. 	 * @throws IOException

  394. 	 */

  395. 	public void stop() throws IOException {

  396. 		executorService.shutdownNow();

  397. 		server.stop(true);

  398. 	}

  399. 

  400. 	/**

  401. 	 * Sets the test user's public key on the server.

  402. 	 *

  403. 	 * @param key

  404. 	 *            to set

  405. 	 * @throws IOException

  406. 	 *             if the file cannot be read

  407. 	 * @throws GeneralSecurityException

  408. 	 *             if the public key cannot be extracted from the file

  409. 	 */

  410. 	public void setTestUserPublicKey(Path key)

  411. 			throws IOException, GeneralSecurityException {

  412. 		this.testKey = readPublicKey(key);

  413. 	}

  414. 

  415. 	/**

  416. 	 * Sets the test user's public key on the server.

  417. 	 *

  418. 	 * @param key

  419. 	 *            to set

  420. 	 *

  421. 	 * @since 5.8

  422. 	 */

  423. 	public void setTestUserPublicKey(@NonNull PublicKey key) {

  424. 		this.testKey = key;

  425. 	}

  426. 

  427. 	/**

  428. 	 * Sets the lines the server sends before its server identification in the

  429. 	 * initial protocol version exchange.

  430. 	 *

  431. 	 * @param lines

  432. 	 *            to send

  433. 	 * @since 5.5

  434. 	 */

  435. 	public void setPreamble(String... lines) {

  436. 		if (lines != null && lines.length > 0) {

  437. 			PropertyResolverUtils.updateProperty(this.server,

  438. 					ServerFactoryManager.SERVER_EXTRA_IDENTIFICATION_LINES,

  439. 					String.join("|", lines));

  440. 		}

  441. 	}

  442. 

  443. 	private class GitUploadPackCommand extends AbstractCommandSupport {

  444. 

  445. 		protected GitUploadPackCommand(String command,

  446. 				CloseableExecutorService executorService) {

  447. 			super(command, ThreadUtils.noClose(executorService));

  448. 		}

  449. 

  450. 		@Override

  451. 		public void run() {

  452. 			UploadPack uploadPack = new UploadPack(repository);

  453. 			String gitProtocol = getEnvironment().getEnv().get("GIT_PROTOCOL");

  454. 			if (gitProtocol != null) {

  455. 				uploadPack

  456. 						.setExtraParameters(Collections.singleton(gitProtocol));

  457. 			}

  458. 			try {

  459. 				uploadPack.upload(getInputStream(), getOutputStream(),

  460. 						getErrorStream());

  461. 				onExit(0);

  462. 			} catch (IOException e) {

  463. 				log.warn(

  464. 						MessageFormat.format("Could not run {0}", getCommand()),

  465. 						e);

  466. 				onExit(-1, e.toString());

  467. 			}

  468. 		}

  469. 

  470. 	}

  471. 

  472. 	private class GitReceivePackCommand extends AbstractCommandSupport {

  473. 

  474. 		protected GitReceivePackCommand(String command,

  475. 				CloseableExecutorService executorService) {

  476. 			super(command, ThreadUtils.noClose(executorService));

  477. 		}

  478. 

  479. 		@Override

  480. 		public void run() {

  481. 			try {

  482. 				new ReceivePack(repository).receive(getInputStream(),

  483. 						getOutputStream(), getErrorStream());

  484. 				onExit(0);

  485. 			} catch (IOException e) {

  486. 				log.warn(

  487. 						MessageFormat.format("Could not run {0}", getCommand()),

  488. 						e);

  489. 				onExit(-1, e.toString());

  490. 			}

  491. 		}

  492. 

  493. 	}

  494. 

  495. 	/**

  496. 	 * Simple echo command that echoes back the command string. If the first

  497. 	 * argument is a positive integer, it's taken as a delay (in seconds) before

  498. 	 * replying. Assumes UTF-8 character encoding.

  499. 	 */

  500. 	private static class EchoCommand extends AbstractCommandSupport {

  501. 

  502. 		protected EchoCommand(String command,

  503. 				CloseableExecutorService executorService) {

  504. 			super(command, ThreadUtils.noClose(executorService));

  505. 		}

  506. 

  507. 		@Override

  508. 		public void run() {

  509. 			String[] parts = getCommand().split(" ");

  510. 			int timeout = 0;

  511. 			if (parts.length >= 2) {

  512. 				try {

  513. 					timeout = Integer.parseInt(parts[1]);

  514. 				} catch (NumberFormatException e) {

  515. 					// No timeout.

  516. 				}

  517. 				if (timeout > 0) {

  518. 					try {

  519. 						Thread.sleep(TimeUnit.SECONDS.toMillis(timeout));

  520. 					} catch (InterruptedException e) {

  521. 						// Ignore.

  522. 					}

  523. 				}

  524. 			}

  525. 			try {

  526. 				doEcho(getCommand(), getOutputStream());

  527. 				onExit(0);

  528. 			} catch (IOException e) {

  529. 				log.warn(

  530. 						MessageFormat.format("Could not run {0}", getCommand()),

  531. 						e);

  532. 				onExit(-1, e.toString());

  533. 			}

  534. 		}

  535. 

  536. 		private void doEcho(String text, OutputStream stream)

  537. 				throws IOException {

  538. 			stream.write(text.getBytes(StandardCharsets.UTF_8));

  539. 			stream.flush();

  540. 		}

  541. 	}

  542. }